CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,503 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 117 of 131
- CVE-2026-11518MEDIUMCVSS 4.3EG 4.32026-06-08
A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scr…
- CVE-2026-11520LOWCVSS 3.5EG 3.52026-06-08
A weakness has been identified in SourceCodester Inventory System 1.0. Affected by this issue is some unknown functionality of the file header.php. This manipulation causes cross site scripting. It is possible to initiate the attack remote…
- CVE-2026-11534LOWCVSS 3.5EG 3.52026-06-08
A vulnerability was detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fna…
- CVE-2026-1161LOWCVSS 3.5EG 3.52026-01-19
A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The e…
- CVE-2026-11688HIGHCVSS 8.8EG 8.82026-06-08
Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-11778MEDIUMCVSS 5.4EG 5.42026-07-03
The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users t…
- CVE-2026-11860HIGHCVSS 7.5EG 7.52026-06-15
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization …
- CVE-2026-12129LOWCVSS 3.5EG 3.52026-06-12
A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/add_tod of the component Dashboard Interface. The manipulation of the argument to…
- CVE-2026-12130LOWCVSS 3.5EG 3.52026-06-12
A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component Projects Management Page. The manipulation of the argument protitle res…
- CVE-2026-12176MEDIUMCVSS 4.3EG 4.32026-06-14
A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. The impacted element is an unknown function of the file /index.php. The manipulation of the argument action leads to cross site…
- CVE-2026-12202LOWCVSS 2.4EG 2.42026-06-15
A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3. Affected by this issue is some unknown functionality of the component Blocks Endpoint. Such manipulation of the argument CSS class name leads to cross site scripting. T…
- CVE-2026-12208MEDIUMCVSS 5.3EG 5.32026-06-15
A weakness has been identified in jsonata-js jsonata up to 2.2.0. The affected element is the function createFrame of the file src/jsonata.js of the component Function Binding Frame System. This manipulation causes improperly controlled mo…
- CVE-2026-12209MEDIUMCVSS 5.3EG 5.32026-06-15
A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10. The impacted element is an unknown function of the file src/filters/index.js of the component Template Filter Handler. Such manipulation leads to improperly cont…
- CVE-2026-12242HIGHCVSS 8.8EG 8.82026-06-24
The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and saniti…
- CVE-2026-12252HIGHCVSS 7.8EG 7.82026-07-04
In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser) are vulnerable to untrusted JAR code execution. T…
- CVE-2026-12257CRITICALCVSS 9.3EG 9.32026-07-13
Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not proper…
- CVE-2026-1226HIGHCVSS 7.0EG 7.02026-02-11
CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file.
- CVE-2026-1245MEDIUMCVSS 6.5EG 6.52026-01-20
A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates th…
- CVE-2026-1281CRITICALCVSS 9.8EG 9.8⚠ KEV2026-01-29
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
- CVE-2026-12811MEDIUMCVSS 4.3EG 4.32026-06-22
A weakness has been identified in kortix-ai suna up to 0.8.38. Affected by this issue is the function router.replace/router.push of the file apps/frontend/src/app/auth/page.tsx of the component Auth Endpoint. Executing a manipulation of th…
- CVE-2026-12822HIGHCVSS 7.8EG 5.32026-06-22
A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was con…
- CVE-2026-12866CRITICALCVSS 9.8EG 9.82026-06-23
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Becau…
- CVE-2026-13014CRITICALCVSS 9.2EG 9.22026-07-13
A vulnerability in Thales CERT "Suspicious" application =< 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files,…
- CVE-2026-13353HIGHCVSS 8.8EG 8.82026-07-11
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missin…
- CVE-2026-1340CRITICALCVSS 9.8EG 9.8⚠ KEV2026-01-29
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
- CVE-2026-13499MEDIUMCVSS 4.3EG 4.32026-06-28
A security flaw has been discovered in yashpokharna2555 restaurent-management-system. This impacts an unknown function of the file login_register.php of the component Registration Handler. Performing a manipulation of the argument Username…
- CVE-2026-13500HIGHCVSS 7.3EG 7.32026-06-28
A weakness has been identified in antlr ANTLR4 up to 4.13.2. Affected is an unknown function of the file tool/src/org/antlr/v4/codegen/model/OutputFile.java of the component Grammar Action Block Handler. Executing a manipulation can lead t…
- CVE-2026-13504LOWCVSS 3.5EG 3.52026-06-28
A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack ma…
- CVE-2026-13536MEDIUMCVSS 4.3EG 4.32026-06-29
A vulnerability has been found in GotoHTTP up to 10.2. This issue affects some unknown processing of the file /reg.12x. The manipulation of the argument sn leads to cross site scripting. The attack may be initiated remotely. The exploit ha…
- CVE-2026-13554MEDIUMCVSS 4.3EG 4.32026-06-29
A vulnerability has been found in itsourcecode Online Hotel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/mod_amenities/controller.php?action=add of the component POST Request Handler.…
- CVE-2026-13556MEDIUMCVSS 4.3EG 4.32026-06-29
A vulnerability was determined in itsourcecode Online Hotel Management System 1.0. This affects an unknown part of the file /admin/mod_users/controller.php?action=edit of the component POST Request Handler. This manipulation of the argumen…
- CVE-2026-13557MEDIUMCVSS 4.3EG 4.32026-06-29
A vulnerability was identified in itsourcecode Online Hotel Management System 1.0. This vulnerability affects unknown code of the file /admin/mod_room/controller.php?action=add of the component POST Request Handler. Such manipulation of th…
- CVE-2026-13558LOWCVSS 3.5EG 3.52026-06-29
A security flaw has been discovered in CodeAstro Complaint Management System 1.0. This issue affects some unknown processing of the file /report/addreport of the component Report Handler. Performing a manipulation of the argument Report Ti…
- CVE-2026-13567MEDIUMCVSS 4.3EG 4.32026-06-29
A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmess…
- CVE-2026-13570LOWCVSS 3.5EG 3.52026-06-29
A vulnerability was detected in SourceCodester Inventory Management System 1.0. Impacted is an unknown function of the file /api/users_handler.php of the component User Registration Endpoint. Performing a manipulation of the argument full_…
- CVE-2026-13749HIGHCVSS 8.8EG 8.82026-06-29
Improper neutralization in the Snowpark annotation processor callback template in Snowflake CLI versions prior to 3.19 allowed arbitrary code execution during application bundling or deployment. An attacker could exploit this by supplying …
- CVE-2026-1421LOWCVSS 3.5EG 3.52026-01-26
A vulnerability has been found in code-projects Online Examination System 1.0. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit ha…
- CVE-2026-14383HIGHCVSS 8.8EG 8.82026-07-02
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-14407HIGHCVSS 8.8EG 8.82026-07-02
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-14439CRITICALCVSS 9.4EG 9.42026-07-02
A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation…
- CVE-2026-1444LOWCVSS 2.4EG 2.42026-01-26
A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads t…
- CVE-2026-14453CRITICALCVSS 9.6EG 9.62026-07-13
This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no…
- CVE-2026-14633MEDIUMCVSS 4.3EG 4.32026-07-04
A vulnerability was determined in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 49b20f53de2b7ec34e920b11c863f1491d911a04. This affects an unknown part of the file /index.php/api/product/set of the component Hidden REST API Endpoint. Th…
- CVE-2026-14634MEDIUMCVSS 4.3EG 4.32026-07-04
A vulnerability was identified in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 213babdbaa949e94557246414db0130e01394517. This vulnerability affects the function checkForPostRequests of the file application/core/MY_Controller.php of th…
- CVE-2026-14655LOWCVSS 2.4EG 2.42026-07-04
A weakness has been identified in code-projects Assessment Management 1.0. Affected by this issue is some unknown functionality of the file admin/view-users.php. Executing a manipulation of the argument User can lead to cross site scriptin…
- CVE-2026-14656MEDIUMCVSS 4.3EG 4.32026-07-04
A security vulnerability has been detected in code-projects Assessment Management 1.0. This affects an unknown part of the file /admin/remove-user.php. The manipulation of the argument ID leads to cross site scripting. It is possible to in…
- CVE-2026-14691MEDIUMCVSS 6.3EG 6.32026-07-05
A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function update_settings_info of the file classes/SystemSettings.php of the component Setting Handler. Such ma…
- CVE-2026-14704MEDIUMCVSS 4.3EG 4.32026-07-05
A vulnerability was found in stephen-kruger bluebox up to 4.5.12. Affected by this vulnerability is an unknown functionality. Performing a manipulation of the argument code results in cross site scripting. It is possible to initiate the at…
- CVE-2026-14722HIGHCVSS 7.3EG 7.32026-07-05
A vulnerability was found in tiddly-gittly TidGi-Desktop up to 0.13.0. This impacts an unknown function of the file src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts of the component Git Repository Import. The manipulation resul…
- CVE-2026-14749HIGHCVSS 7.3EG 7.32026-07-05
A vulnerability was identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. Impacted is the function eval of the file application/pages/imba_calculator/calculate.php. The manipulation of the argument mathematical_…
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →